fix: handle unrecognized BSM tokens causing empty audit.jsonl #1

Merged
feniix merged 10 commits into main from fix/evp-45-bsmtap-parse-failures on Apr 21, 2026
Conversation


@feniix feniix commented Apr 21, 2026

Summary

  • Add parsers for three BSM token types that appear in virtually every macOS audit record but were unhandled: AUT_DATA (0x21), AUT_IN_ADDR (0x2a), AUT_IDENTITY (0xed)
  • The default branch in the token dispatch skipped the entire remaining record on any unrecognized token, producing zero JSON output
  • AUT_IDENTITY is fully parsed into a new identity field on AuditEvent (signerType, signingId, teamId, cdhash)

Closes EVP-45

Test plan

  • 8 new tests covering all three token types (byte/short/int32/int64 data units, IPv4 address, identity with populated and empty fields, realistic combined record)
  • All 54 tests pass
  • Deploy to target host (adra) and verify audit.jsonl is no longer empty
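The token handling this PR describes, as an added example that is not part of the pull request or the project's code: a small dispatch loop that parses AUT_DATA, AUT_IN_ADDR and AUT_IDENTITY with bounds checks and reports an unrecognized token instead of silently dropping the rest of the record. The token layouts (OpenBSM au_to_data and au_to_in_addr, Apple's au_to_identity), the field names, and the sample record are assumptions constructed for this example.

```typescript
// Added example (not the project's code): a minimal BSM token walker for the three token
// types this PR adds. Layouts assumed from OpenBSM / Apple libbsm (au_to_data, au_to_in_addr,
// au_to_identity); integers are big-endian and string lengths include the NUL terminator.
export const AUT_DATA = 0x21, AUT_IN_ADDR = 0x2a, AUT_IDENTITY = 0xed;
const UNIT_SIZE: ReadonlyArray<number> = [1, 2, 4, 8]; // AUR_BYTE, AUR_SHORT, AUR_INT32, AUR_INT64
export interface AuditIdentity { signerType: number; signingId: string; teamId: string; cdhash: string }
export interface ParsedRecord { tokens: string[]; inAddr?: string; identity?: AuditIdentity; error?: string }
export function parseRecord(buf: Uint8Array): ParsedRecord {
  const view = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
  const out: ParsedRecord = { tokens: [] }; let off = 0;
  const need = (n: number) => { if (off + n > buf.length) throw new Error(`truncated token at offset ${off}`); }; // bounds check before every read
  const u16 = () => { need(2); const v = view.getUint16(off); off += 2; return v; };
  const str = () => { // uint16 length, then the bytes (trailing NUL stripped)
    const len = u16(); need(len);
    const s = Array.from(buf.subarray(off, off + len), (b) => String.fromCharCode(b)).join("");
    off += len; return s.replace(/\0$/, "");
  };
  try {
    while (off < buf.length) {
      const id = buf[off++];
      if (id === AUT_DATA) { // print-hint(1) unit-type(1) count(1) data(count * unit size)
        need(3); const size: number | undefined = UNIT_SIZE[buf[off + 1]]; const count = buf[off + 2]; off += 3;
        if (size === undefined) throw new Error("unknown AUT_DATA basic unit");
        need(size * count); off += size * count; out.tokens.push("data");
      } else if (id === AUT_IN_ADDR) { // 4-byte IPv4 address
        need(4); out.inAddr = buf.subarray(off, off + 4).join("."); off += 4; out.tokens.push("in_addr");
      } else if (id === AUT_IDENTITY) { // signer_type(4) signing_id trunc(1) team_id trunc(1) cdhash_len(2) cdhash
        need(4); const signerType = view.getUint32(off); off += 4;
        const signingId = str(); need(1); off += 1;
        const teamId = str(); need(1); off += 1;
        const hlen = u16(); need(hlen);
        const cdhash = Array.from(buf.subarray(off, off + hlen), (b) => b.toString(16).padStart(2, "0")).join("");
        off += hlen; out.identity = { signerType, signingId, teamId, cdhash }; out.tokens.push("identity");
      } else {
        // Unrecognized token: keep what was parsed and surface the gap instead of silently dropping the record.
        out.error = `unrecognized token 0x${id.toString(16)} at offset ${off - 1}`; return out;
      }
    }
  } catch (e) { out.error = (e as Error).message; }
  return out;
}

// Constructed sample record (not a real capture); the trailing 0x7f is an unknown token.
export const SAMPLE = new Uint8Array([
  0x21, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2a, // AUT_DATA: one int32, value 0x2a
  0x2a, 0x7f, 0x00, 0x00, 0x01, // AUT_IN_ADDR: 127.0.0.1
  0xed, 0x00, 0x00, 0x00, 0x01, 0x00, 0x05, 0x62, 0x61, 0x73, 0x68, 0x00, 0x00, // AUT_IDENTITY: signer 1, "bash", trunc 0
  0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0xde, 0xad, // team id "", trunc 0, cdhash dead
  0x7f,
]);
```

Feeding a record with an unknown token yields the tokens parsed up to that point plus an explicit error, so a monitoring pipeline can count and alert on parse gaps rather than silently emitting nothing.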

feniix added 10 commits April 21, 2026 16:37
Add AuditIdentity interface (signerType, signingId, teamId, cdhash)
and identity field to AuditEvent to support AUT_IDENTITY (0xed) tokens.

These three token types appear in virtually every macOS audit record
but were unhandled, causing the parser to skip entire records and
produce zero JSON output.

- AUT_DATA (0x21): skip variable-length arbitrary data
- AUT_IN_ADDR (0x2a): skip 4-byte IPv4 address
- AUT_IDENTITY (0xed): parse code signing identity into event

Closes EVP-45

8 new tests covering all three previously-unhandled token types:
- AUT_DATA with byte, short, int32, and int64 unit sizes
- AUT_IN_ADDR IPv4 address token
- AUT_IDENTITY with populated and empty fields
- Realistic macOS execve record combining all new tokens

- src/bsm-parser.ts: add bounds check to parseData for malformed tokens
- src/bsm-parser.ts: add comment explaining basicUnit fallback behavior
- src/bsm-parser.ts: add bounds checks before getUint16 calls in parseIdentity
- src/bsm-parser.test.ts: fix Biome formatting
- Pin bun-version to 1.3.11 in both workflows
- Run tests with --coverage in release workflow to match CI
@feniix feniix merged commit b14250d into main Apr 21, 2026
1 check passed
@feniix feniix deleted the fix/evp-45-bsmtap-parse-failures branch April 21, 2026 20:00